authorLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2020-11-20 23:24:29 +0000
commit5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (patch)
treecf3e992dce2d426727b535703b0b73dbafb41dbb /src/conn-tools/s6-tlsc.c
parent1fea1f6ed53cae7f752c9a78271c7c8367b0ad03 (diff)
downloads6-networking-5715c21a077ee1c2fe8957cb4adcea14fd2eda6b.tar.xz
Refactor tls code to support ucspi-tls
That includes: - new architecture: the tls binary is now a child of the app instead of the other way around - the sbearssl_run engine now takes a post-handshake callback. This allows s6-tlsc and s6-tlsd to only exec into the app when the handshake succeeds (which was already the case with libressl). - new binaries s6-tlsc-io and s6-tlsd-io encapsulate the crypto code; they init and run the engine, connecting to 4 already open fds (stdin/stdout = network, argv[1] and argv[2] = local) - s6-tlsc is now a simple wrapper around s6-tlsc-io - s6-tlsd is now a simple wrapper around s6-tlsd-io - new binary: s6-ucspitlsd, which is also a wrapper around s6-tlsd-io, but differently: the parent execs the app which should be ucspi-tls-aware, the child waits for a command from the parent and execs into s6-tlsd-io if it receives it.
Diffstat (limited to 'src/conn-tools/s6-tlsc.c')
-rw-r--r--src/conn-tools/s6-tlsc.c88
1 files changed, 43 insertions, 45 deletions
diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c
index d9df81c..6431ccb 100644
--- a/src/conn-tools/s6-tlsc.c
+++ b/src/conn-tools/s6-tlsc.c
@@ -2,67 +2,63 @@
#include <stdint.h>
#include <unistd.h>
-#include <errno.h>
+#include <fcntl.h>
+
+#include <skalibs/gccattributes.h>
#include <skalibs/types.h>
#include <skalibs/sgetopt.h>
#include <skalibs/strerr2.h>
-#include <skalibs/tai.h>
#include <skalibs/env.h>
#include <skalibs/djbunix.h>
-#include <s6-networking/config.h>
-
-#ifdef S6_NETWORKING_USE_TLS
-
-#include <s6-networking/stls.h>
-#define s6tlsc stls_s6tlsc
-
-#else
-#ifdef S6_NETWORKING_USE_BEARSSL
-
-#include <s6-networking/sbearssl.h>
-#define s6tlsc sbearssl_s6tlsc
-
-#else
-
-#error No SSL backend configured.
-
-#endif
-#endif
+#include "s6tls-internal.h"
#define USAGE "s6-tlsc [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -Z | -z ] [ -6 rfd ] [ -7 wfd ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
-int main (int argc, char const *const *argv, char const *const *envp)
+static void child (int const [3][2], int, int, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ;
+static void child (int const p[3][2], int fdr, int fdw, uint32_t options, unsigned int verbosity, unsigned int kimeout, char const *servername)
+{
+ int fds[3] = { p[0][0], p[1][1], p[2][1] } ;
+ PROG = "s6-tlsc (child)" ;
+ s6tls_drop() ;
+ close(p[2][0]) ;
+ close(p[0][1]) ;
+ close(p[1][0]) ;
+ if (fd_move(0, fdr) < 0 || fd_move(1, fdw) < 0)
+ strerr_diefu1sys(111, "move network fds to stdin/stdout") ;
+ s6tls_exec_tlscio(fds, options, verbosity, kimeout, servername) ;
+}
+
+int main (int argc, char const *const *argv)
{
+ int fds[2] = { 6, 7 } ;
char const *servername = 0 ;
- tain_t tto ;
unsigned int verbosity = 1 ;
- uid_t uid = 0 ;
- gid_t gid = 0 ;
- uint32_t preoptions = 2 ;
- uint32_t options = 1 ;
- int fds[2] = { 6, 7 } ;
+ unsigned int kimeout = 0 ;
+ int p[3][2] ;
+ uint32_t options = 0 ;
+ int cleanenv = 1 ;
+ pid_t pid ;
PROG = "s6-tlsc" ;
{
subgetopt_t l = SUBGETOPT_ZERO ;
- unsigned int t = 0 ;
for (;;)
{
int opt = subgetopt_r(argc, argv, "SsYyv:K:k:Zz6:7:", &l) ;
if (opt == -1) break ;
switch (opt)
{
- case 'S' : options &= ~(uint32_t)1 ; break ;
- case 's' : options |= 1 ; break ;
- case 'Y' : preoptions &= ~(uint32_t)1 ; break ;
- case 'y' : preoptions |= 1 ; break ;
+ case 'S' : options &= ~4 ; break ;
+ case 's' : options |= 4 ; break ;
+ case 'Y' : options &= ~1 ; break ;
+ case 'y' : options |= 1 ; break ;
case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
+ case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
case 'k' : servername = l.arg ; break ;
- case 'Z' : preoptions &= ~(uint32_t)2 ; break ;
- case 'z' : preoptions |= 2 ; break ;
+ case 'Z' : cleanenv = 0 ; break ;
+ case 'z' : cleanenv = 1 ; break ;
case '6' :
{
unsigned int fd ;
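Review bot: In child(), the two successive fd_move() calls can clobber each other when the user-chosen network fds overlap the targets: with `-6 1 -7 0`, `fd_move(0, fdr)` dup2's fd 1 onto 0 and closes 1, so the following `fd_move(1, fdw)` moves the just-installed read side onto 1 and closes 0, leaving the write side lost. If the skalibs in use provides fd_move2(), a pairwise `if (fd_move2(0, fdr, 1, fdw) < 0)` keeps the existing error path and avoids the swap hazard; otherwise an explicit `fdr == 1` / `fdw == 0` check before the moves is needed. child() is also undocumented: a comment such as `/* keep the read end of p[0] and the write ends of p[1]/p[2] for s6-tlsc-io; close the parent's ends, then put the network fds on 0/1 */` above the fds[] initializer would let a reader follow which pipe end belongs to which side. The `options &= ~4` form mixes an int mask into a uint32_t; `~(uint32_t)4`, as the removed lines did, keeps the masking explicit.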
@@ -81,18 +77,20 @@ int main (int argc, char const *const *argv, char const *const *envp)
}
}
argc -= l.ind ; argv += l.ind ;
- if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
}
if (!argc) dieusage() ;
-
- if (!getuid())
+ fd_sanitize() ;
+ if (fcntl(fds[0], F_GETFD) < 0 || fcntl(fds[1], F_GETFD) < 0)
+ strerr_diefu1sys(111, "check network fds") ;
+ if (pipe(p[0]) < 0 || pipe(p[1]) < 0 || pipe(p[2]) < 0)
+ strerr_diefu1sys(111, "pipe") ;
+ pid = fork() ;
+ switch (pid)
{
- char const *x = env_get2(envp, "TLS_UID") ;
- if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ;
- x = env_get2(envp, "TLS_GID") ;
- if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ;
+ case -1 : strerr_diefu1sys(111, "fork") ;
+ case 0 : child(p, fds[0], fds[1], options, verbosity, kimeout, servername) ;
+ default : break ;
}
- tain_now_set_stopwatch_g() ;
- return s6tlsc(argv, envp, &tto, preoptions, options, uid, gid, verbosity, servername, fds) ;
+ s6tls_wait_and_exec_app(argv, p, pid, fds[0], fds[1], cleanenv ? 1 : 0) ;
}
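Review bot: After fork() the parent still holds all six pipe ends and then calls s6tls_wait_and_exec_app(), which by the commit message execs into the application; nothing in this hunk closes the ends the child keeps (p[0][0], p[1][1], p[2][1]), so unless that helper does it before exec they are inherited by the app, which could then read or write the control channel meant for the TLS engine. Either close those three ends here right after the switch, or document the contract on the call, e.g. `/* s6tls_wait_and_exec_app closes the child's pipe ends before exec'ing argv */`, so the next maintainer can verify it in s6tls-internal. main() now also falls off its closing brace with no return after that call; if the helper is noreturn its prototype should carry gccattr_noreturn as child() does, otherwise the parent silently exits 0 on an unexpected return. The `cleanenv ? 1 : 0` argument is redundant since cleanenv is only ever 0 or 1 and can be passed directly.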